Releases: tiiuae/ghaf
Release 25.12.1
This release is for x86 platforms; full testing has been performed with Lenovo X1 Carbon Gen11 and System76 Darter Pro.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version:bump for the next release by @clayhill66 in #1574
- cosmic: enable nm in login, replace nm-applet with cosmic's builtin by @kajusnau in #1575
- docs: add 25.11.1 release note by @clayhill66 in #1576
- performance module by @kajusnau in #1542
- shfmt: enable shfmt to align all the shell scripts by @brianmcgillion in #1578
- build(deps): bump js-yaml from 4.1.0 to 4.1.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1572
- build(deps): bump github/codeql-action from 4.31.3 to 4.31.5 by @dependabot[bot] in #1584
- build(deps): bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #1583
- build(deps): bump astral-sh/setup-uv from 7.1.3 to 7.1.4 by @dependabot[bot] in #1585
- build(deps): bump starlight-blog from 0.25.0 to 0.25.1 in /docs by @dependabot[bot] in #1581
- build(deps): bump astro from 5.15.6 to 5.16.0 in /docs by @dependabot[bot] in #1582
- cosmic-applets: hide some buttons by @kajusnau in #1580
- modules/partitioning: fix disko builder permission error by @vadika in #1588
- unixbench: remove, it pulls compilers to resulting closure by @avnik in #1589
- dynamic-hostname: fix Darter Pro uniqueness issue by @vadika in #1579
- docs: Add YubiKey integration documentation by @vunnyso in #1592
- modules/partitioning: remove xcp workaround by @Mic92 in #1593
- cosmic7: Update to the beta7 by @brianmcgillion in #1564
- AGX Industrial (64GB) target added by @emrahbillur in #1472
- jetpack-nixos: rebased by @brianmcgillion in #1591
- jetpack: fix cuda support by @brianmcgillion in #1595
- feat(givc): enable notifier and exec by @mbssrc in #1596
- Refactor cleanup by @brianmcgillion in #1594
- build(deps): bump github/codeql-action from 4.31.5 to 4.31.6 by @dependabot[bot] in #1598
- Implement PCI device management via vhotplug by @nesteroff in #1528
- performance: fix scheduler, fix dell performance by @kajusnau in #1586
- bump: docs depends and ghafpkgs by @brianmcgillion in #1604
- Ghaf kill switch GUI application by @vunnyso in #1577
- performance: add thermal limit adjustment option by @kajusnau in #1605
- Fix USB input devices hot-plugging by @nesteroff in #1608
- Firmware control by @brianmcgillion in #1607
- microvm: use a store image and not share /nix/store by @brianmcgillion in #1562
- iso: do not copy the system closure only the disk by @brianmcgillion in #1609
- givc: bump to include fix for shutdown hang by @kajusnau in #1610
- sysbench: Add back to the system PATH by @brianmcgillion in #1612
- devshell: add ghaf-flash to devshell, improve readability by @kajusnau in #1613
- cosmic: bump to cosmic beta 8 by @brianmcgillion in #1597
- Storedisk size and ghaf-vms (to list status) by @brianmcgillion in #1614
- killswitch: avoid re-blocking devices already in blocked state by @vunnyso in #1606
- bump: cosmic 9 by @brianmcgillion in #1616
- build(deps): bump github/codeql-action from 4.31.6 to 4.31.7 by @dependabot[bot] in #1618
- build(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #1621
- build(deps): bump astral-sh/setup-uv from 7.1.4 to 7.1.5 by @dependabot[bot] in #1620
- build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #1619
- cosmic: add pre-defined layouts and layout config by @kajusnau in #1617
- Update docs deps 20251209 042454 by @brianmcgillion in #1626
- logging: add MaxFileSec for journald by @everton-dematos in #1565
- Upgrade docs deps 20251209 080940 by @brianmcgillion in #1627
- jetpack-nixos: bump by @TanelDettenborn in #1625
- Bump mid dec by @brianmcgillion in #1629
- GhA: stop building in github runners by @henrirosten in #1631
- Flatpak fix: add browser detection and launch support by @jkuro-tii in #1587
- fix: fix softlock on incorrect password by @kajusnau in #1633
- desktop: add proper light/dark themes, unify chrome vm colors by @kajusnau in #1636
- bot: improve the copilot reviews by @brianmcgillion in #1638
- audit: Centralize ordering and systemd service override by @everton-dematos in #1635
- audio: disable pipewire logs by default by @kajusnau in #1640
- build(deps): bump cachix/install-nix-action from 31.8.4 to 31.9.0 by @dependabot[bot] in #1645
- build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #1644
- build(deps): bump astral-sh/setup-uv from 7.1.5 to 7.1.6 by @dependabot[bot] in #1643
- build(deps): bump tj-actions/changed-files from 47.0.0 to 47.0.1 by @dependabot[bot] in #1642
- build(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #1641
- cosmic: bump to the latest stable by @brianmcgillion in #1632
- docs: bump by @brianmcgillion in #1648
- Update docs deps 20251216 073030 by @brianmcgillion in #1649
- Improve PCI device auto-detection and enable it in the demo-tower target for network devices by @nesteroff in #1650
- jetpack-nixos: bump by @TanelDettenborn in #1654
- 5080: switch to vhotplug network by @brianmcgillion in #1655
- Agx industrial ethernet by @emrahbillur in #1653
- build(deps): bump github/codeql-action from 4.31.7 to 4.31.9 by @dependabot[bot] in #1659
- ci/eval: rewrite script to use nix-eval-jobs --select by @Mic92 in #1658
- Pass NHLT table in intel-laptop target only when present on the host by @nesteroff in #1661
- docs: Add system logs architecture diagram and notes by @everton-dematos in #1662
- verity-images: Fix the installer to copy the image by @brianmcgillion in #1663
- audit/logging: add time-based audit log retention and journald transport label by @everton-dematos in #1656
- docs: add architecture notes on inter-VM channels, memory wipe, and secret handling by @vadika in #1666
- fix(pci-ports): start PCIe port range from 1 by @vunnyso in #1664
- Active Directory by @mbssrc in #1416
- Integrate Fleet MDM services by @vadika in #1590
- feat(installer): implement deferred disk encryption trigger by @vunnyso in #1670
- bump: wireguard-gui by @enesoztrk in #1615
- build(deps): bump astro from 5.16.5 to 5.16.7 in /docs by @dependabot[bot] in #1675
- build(deps): bump github/codeql-action from 4.31.9 to 4.31.10 by @dependabot[bot] in #1673
- build(deps): bump astral-sh/setup-uv from 7.1.6 to 7.2.0 by @dependabot[bot] in #1674
Full Changelog: ghaf-25.11.1...ghaf-25.12.1
Release 25.11.1
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Lenovo T14 AMD
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- version: bump for new patches by @brianmcgillion in #1490
- lenovo-x1/gen12: drop Intel MEI communication controller by @vunnyso in #1489
- changing ping limitation config by @enesoztrk in #1488
- Restore default shortcut for lock screen by @gngram in #1485
- docs: Update CICD_general.drawio.png by @ktusawrk in #1491
- bump: use the latest ghafpkgs by @brianmcgillion in #1492
- audit: fix some zizmor audit findings by @brianmcgillion in #1494
- darter-pro: New SKU network pci path by @brianmcgillion in #1496
- doc: wireguard-gui by @enesoztrk in #1497
- add 25.10.1 release note by @clayhill66 in #1500
- docs: add current SLSA status by @ktusawrk in #1495
- Various desktop bug fixes by @kajusnau in #1499
- Update ghafpkgs and support packages by @brianmcgillion in #1503
- lib: fix the propagation to ensure correct lib by @brianmcgillion in #1504
- Updated docs by @brianmcgillion in #1505
- More docs by @brianmcgillion in #1506
- Enable ghaf usb applet by @gngram in #1466
- build(deps): bump astro from 5.14.7 to 5.15.1 in /docs by @dependabot[bot] in #1509
- Fix mismatched variable name by @avnik in #1507
- refactor: enable keep-sorted for large lists by @kajusnau in #1514
- Disable alerts on dangerous trigger by @henrirosten in #1515
- logging: implement journald-based local log retention by @juliuskoskela in #1511
- Enable nixf diagnose by @brianmcgillion in #1516
- chrome-extensions: update session buddy by @kajusnau in #1517
- End oct bump by @brianmcgillion in #1510
- cosmic-config: refactor cosmic config, add ghaf dark and light themes by @kajusnau in #1513
- Fix/xdg url handler by @enesoztrk in #1519
- systemd: restore user-runtime-dir service hardening by @gngram in #1520
- build(deps): bump astro from 5.15.1 to 5.15.3 in /docs by @dependabot[bot] in #1527
- build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in #1526
- build(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @dependabot[bot] in #1525
- build(deps): bump cachix/install-nix-action from 31.8.1 to 31.8.2 by @dependabot[bot] in #1524
- build(deps): bump astral-sh/setup-uv from 7.1.1 to 7.1.2 by @dependabot[bot] in #1523
- Bump november by @brianmcgillion in #1522
- chrome-extensions: fetch pinned versions by default by @kajusnau in #1529
- version: bump for the next release cycle by @brianmcgillion in #1534
- system: deprecated system parameter update by @brianmcgillion in #1533
- system76: Enable all by @brianmcgillion in #1535
- The lsp made me do it by @brianmcgillion in #1540
- cosmic: fix active hint overlapping secctx indicator by @kajusnau in #1541
- Remove OpenSSF Scorecard by @henrirosten in #1518
- Storage fixes by @mbssrc in #1538
- build(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by @dependabot[bot] in #1544
- docs: bump by @brianmcgillion in #1551
- Checks on push by @brianmcgillion in #1550
- build(deps): bump cachix/install-nix-action from 31.8.2 to 31.8.3 by @dependabot[bot] in #1554
- build(deps): bump starlight-blog from 0.24.3 to 0.25.0 in /docs by @dependabot[bot] in #1546
- build(deps): bump astral-sh/setup-uv from 7.1.2 to 7.1.3 by @dependabot[bot] in #1553
- ci-tests: fix by @brianmcgillion in #1555
- Prevent running authorized actions in empty environment by @henrirosten in #1556
- bump: Cosmic beta5 by @brianmcgillion in #1543
- Add nixos-rebuild audit rule by @everton-dematos in #1508
- Fix audit rules service on Zathura VM by @everton-dematos in #1557
- installer: use the latest kernel in installer by @brianmcgillion in #1558
- flatpak-vm: Add a vm to allow installing flatpaks using cosmic store by @vunnyso in #1502
- refactor(homes): persist appvm homes by default by @mbssrc in #1560
- Lenovo t14 amd by @Mic92 in #908
- generate-shutdown-ramfs.service failure by @gngram in #1563
- fix(xdg-handlers): manage appuser mimeapps.list via systemd tmpfiles by @enesoztrk in #1559
- Add dynamic hostname generation for hardware-based device identification by @vadika in #1512
- net-vm,gui-vm: Enhance xdg-dbus-proxy with system bus D-Bus proxy by @jkuro-tii in #1432
- Fix printf octal interpretation error in hostname generation by @vadika in #1566
- Add memory wipe on allocation/deallocation by @vadika in #1530
- build(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @dependabot[bot] in #1570
- build(deps): bump actions/checkout from 5.0.0 to 5.0.1 by @dependabot[bot] in #1569
- build(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by @dependabot[bot] in #1568
- build(deps): bump cachix/install-nix-action from 31.8.3 to 31.8.4 by @dependabot[bot] in #1567
- build(deps): bump astro from 5.15.5 to 5.15.6 in /docs by @dependabot[bot] in #1571
Full Changelog: ghaf-25.10.1...ghaf-25.11.1
Release 25.10.1
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
- System76 Darter Pro
What's Changed
- build(deps): bump astral-sh/setup-uv from 6.7.0 to 6.8.0 by @dependabot[bot] in #1446
- version: bump for the next target release by @brianmcgillion in #1451
- Docs: bump to the latest by @brianmcgillion in #1450
- docs: add 25.09.3 release note by @clayhill66 in #1454
- Add a CLI tool to manage USB devices, fix USB suspend/resume and make killswitch persistent by @nesteroff in #1445
- chrome: revert dedicated profiles for apps and browser by @kajusnau in #1452
- Add audit rule to log sudo/privilege escalations by @everton-dematos in #1453
- Enable hwdb in systemd by @nesteroff in #1456
- build(deps): bump astro from 5.14.1 to 5.14.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1457
- Bump: control panel by @vunnyso in #1458
- build(deps): bump cachix/install-nix-action from 31.7.0 to 31.8.0 by @dependabot[bot] in #1459
- build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @dependabot[bot] in #1460
- build(deps): bump github/codeql-action from 3.30.6 to 4.30.8 by @dependabot[bot] in #1461
- build(deps): bump astral-sh/setup-uv from 6.8.0 to 7.1.0 by @dependabot[bot] in #1462
- bump: mid september bump by @brianmcgillion in #1431
- Refactor trusted browser and add build-time chrome extension support by @kajusnau in #1455
- fix: adding usb quirks for some of eth-to-usb adapters by @enesoztrk in #1464
- kernel: refactor our kernel generation code by @brianmcgillion in #1465
- docs: bump the base package versions by @brianmcgillion in #1468
- microvm: storageVM encryption support for all VMs by @hros-tii in #1408
- Update copyright lines by @ktusawrk in #1470
- dell-7330: enable hotkeys in guivm by @kajusnau in #1469
- build(deps): bump github/codeql-action from 4.30.8 to 4.30.9 by @dependabot[bot] in #1476
- build(deps): bump astral-sh/setup-uv from 7.1.0 to 7.1.1 by @dependabot[bot] in #1475
- build(deps): bump cachix/install-nix-action from 31.8.0 to 31.8.1 by @dependabot[bot] in #1474
- build(deps): bump starlight-links-validator from 0.18.1 to 0.19.0 in /docs by @dependabot[bot] in #1477
- build(deps): bump astro from 5.14.5 to 5.14.7 in /docs by @dependabot[bot] in #1478
- Bump mid oct by @brianmcgillion in #1471
- docs: bump by @brianmcgillion in #1480
- bump: update all the dependencies by @brianmcgillion in #1481
- version: bump by @brianmcgillion in #1482
- session-buddy: Update the hash to version 4.0.5 by @vunnyso in #1484
- rtl8126: fix the kernel version to match kernel by @brianmcgillion in #1486
- Add givc-cli to GUI VM by @avnik in #1473
- Revert "version: bump" by @brianmcgillion in #1487
Full Changelog: ghaf-25.09.3...ghaf-25.10.1
Release 25.09.3
This release is an update for x86 platforms; full testing has been performed with Lenovo X1 Carbon Gen11 and System76 Darter Pro.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump for the next release target by @brianmcgillion in #1429
- docs: bump core versions by @brianmcgillion in #1430
- Yubikey: Remove unused authorizedYubikeys by @vunnyso in #1428
- docs: add 25.09.2 rel note by @clayhill66 in #1435
- Add tls_config support to alloy server by @everton-dematos in #1433
- build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @dependabot[bot] in #1440
- build(deps): bump astro from 5.13.10 to 5.14.1 in /docs by @dependabot[bot] in #1441
- build(deps): bump cachix/install-nix-action from 31.6.2 to 31.7.0 by @dependabot[bot] in #1439
- build(deps): bump github/codeql-action from 3.30.3 to 3.30.5 by @dependabot[bot] in #1442
- power: allow system vms to shutdown gracefully, preserve audio on shutdown by @kajusnau in #1434
- Jetpack mainline by @brianmcgillion in #1332
- Add ghaf-killswitch doc & Bump ghafpkgs for fix by @vunnyso in #1437
- Service hardenings by @enesoztrk in #1436
- Audio: Drop the removePciDevice workaround by @vunnyso in #1443
- Extending attack-mitigation module options by @enesoztrk in #1438
- Enable TLS for alloy client to server by @everton-dematos in #1444
- build(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @dependabot[bot] in #1447
- build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in #1448
Full Changelog: ghaf-25.09.2...ghaf-25.09.3
Release 25.09.2
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX, Lenovo X1 Carbon Gen11 and System76 Darter Pro platforms.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump to the next target by @brianmcgillion in #1385
- Fix multiple code scanning security issues by @brianmcgillion in #1373
- Fix path injection vulnerability in GPS module subprocess call by @Copilot in #1387
- fix(chrome-vm, business-vm): multiple chrome fixes and adjustments by @kajusnau in #1348
- docs: fix the flake init template attribute by @elmankku in #1388
- build(deps): bump github/codeql-action from 3.30.1 to 3.30.2 by @dependabot[bot] in #1392
- cleanup: minor house keeping by @brianmcgillion in #1390
- docs: bump npm packages by @brianmcgillion in #1394
- script: Add script to update docs npm deps by @brianmcgillion in #1376
- Fix malformed mime type by @avnik in #1397
- build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #1399
- feat(vm-target): simple host ui by @mbssrc in #1400
- Bump givc to support BT mouse and add eventProxy Config by @vunnyso in #1395
- fix(vm): empty event proxy on host by @mbssrc in #1401
- Bump: Update microvm.nix module by @vunnyso in #1402
- docs: add ghaf-25.09.1 release note by @clayhill66 in #1403
- build(deps): bump github/codeql-action from 3.30.2 to 3.30.3 by @dependabot[bot] in #1404
- fix: Element issues by @enesoztrk in #1379
- Protect admin VM from VM controls by @slakkala in #1372
- feat: improve waypipe performance, adjust trusted browser by @kajusnau in #1398
- fix(logging): stop losing admin-vm logs across offline reboots by @everton-dematos in #1396
- bump: drop the qemu 10.1 carry patches by @brianmcgillion in #1405
- Add hardware information service for host-to-guest data passing by @juliuskoskela in #1380
- qemu: Use the new qemu api for battery/lid/power by @brianmcgillion in #1391
- docs: Add fake battery info by @brianmcgillion in #1410
- build(deps): bump astral-sh/setup-uv from 6.6.1 to 6.7.0 by @dependabot[bot] in #1411
- build(deps): bump tj-actions/changed-files from 46.0.5 to 47.0.0 by @dependabot[bot] in #1412
- docs: bump npm packages by @brianmcgillion in #1414
- dependabot: change the frequency of checks by @brianmcgillion in #1415
- feat(boot): enable graphical boot on guivm, fix darp11 graphical boot by @kajusnau in #1406
- disable suspension on darp11, increase guivm core count by @kajusnau in #1417
- Update vhotplug to support new config format and external API by @nesteroff in #1389
- Enabling fail2ban module by @enesoztrk in #1407
- Documentation addons regarding security architecture and features by @vadika in #1419
- Fix ctrl-panel VM starting by @slakkala in #1418
- lenovo-x1-gen11: Add TPM-backed encryption for the persist partition by @hros-tii in #1232
- build(deps): bump cachix/install-nix-action from 31.6.1 to 31.6.2 by @dependabot[bot] in #1422
- docs: bump NPM depends by @brianmcgillion in #1427
- Minor fix and Enable the disk encryption for 'mvp-user-trial' profile by @vunnyso in #1420
Full Changelog: ghaf-25.09.1...ghaf-25.09.2
Release 25.09.1
This Ghaf release is for the x86 platform only and has been fully tested with Lenovo X1 Carbon Gen11.
Supported Hardware
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- System76 Darter Pro
What's Changed
- version: bump for the next release by @brianmcgillion in #1328
- hardware: Add the System76 Darter Pro by @vunnyso in #1327
- gha: Add the new system76 target by @brianmcgillion in #1329
- Fix brightness for System76 and script update by @vunnyso in #1330
- Lock user account after repeated failed login attempts by @gngram in #1324
- New features and bug fixes for login user by @gngram in #1320
- docs: add ghaf-25.08 release note by @clayhill66 in #1333
- Bump givc, enable xpadneo & Add BT device by @vunnyso in #1334
- build(deps): bump astral-sh/setup-uv from 6.5.0 to 6.6.0 by @dependabot[bot] in #1336
- build(deps): bump github/codeql-action from 3.29.10 to 3.29.11 by @dependabot[bot] in #1337
- Firewall blacklisting mechanism & testing by @enesoztrk in #1312
- bugfix: add temporary watchdog service for high-CPU processes by @kajusnau in #1335
- build(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by @dependabot[bot] in #1341
- Keys: add ssh key for Samuli by @leivos-unikie in #1342
- build(deps): bump cachix/install-nix-action from 31.5.2 to 31.6.0 by @dependabot[bot] in #1343
- build(deps): bump github/codeql-action from 3.29.11 to 3.30.0 by @dependabot[bot] in #1346
- build(deps): bump astral-sh/setup-uv from 6.6.0 to 6.6.1 by @dependabot[bot] in #1347
- ARP protection by @mbssrc in #1319
- enable graphical boot, bump ghafpkgs, adjust cosmic config by @kajusnau in #1339
- feat(ghaf-killswitch): Shell application to list, block and unblock by @vunnyso in #1340
- bump: including the qemu 10.1 on top of unstable by @brianmcgillion in #1338
- packages: move some packages to ghafpkgs by @brianmcgillion in #1345
- [StepSecurity] Apply security best practices by @step-security-bot in #1350
- gala: disable gala from the mvp profile by @brianmcgillion in #1349
- Add comprehensive GitHub Copilot instructions for Ghaf development by @Copilot in #1357
- Add GitHub Action to automatically update npmDepsHash for dependabot npm updates by @Copilot in #1355
- Fix sign off in automated workflow for DCO compliance by @Copilot in #1362
- Fix workflow triggers after npm dependency hash updates by @Copilot in #1364
- Add explicit treefmt formatting instruction to copilot-instructions.md by @Copilot in #1370
- Bump mk2 by @brianmcgillion in #1351
- Fix workflow_run triggered builds by checking out latest commit with updated npm hash by @Copilot in #1368
- dependabot: fix the triggering of updated hash by @brianmcgillion in #1371
- build(deps): bump astro from 5.9.2 to 5.13.5 in /docs by @dependabot[bot] in #1352
- build(deps): bump starlight-blog from 0.23.2 to 0.24.1 in /docs by @dependabot[bot] in #1353
- build(deps): bump @astrojs/starlight from 0.34.3 to 0.35.2 in /docs by @dependabot[bot] in #1358
- build(deps): bump sharp from 0.32.6 to 0.34.3 in /docs by @dependabot[bot] in #1359
- build(deps): bump starlight-links-validator from 0.16.0 to 0.17.2 in /docs by @dependabot[bot] in #1360
- docs: bump the npm packages and all the depends by @brianmcgillion in #1374
- aic: add gala as PWA by @brianmcgillion in #1377
- audit: add Nix-specific rules by @everton-dematos in #1344
- build(deps): bump github/codeql-action from 3.30.0 to 3.30.1 by @dependabot[bot] in #1381
- bump: early september by @brianmcgillion in #1383
- build(deps): bump cachix/install-nix-action from 31.6.0 to 31.6.1 by @dependabot[bot] in #1384
Full Changelog: ghaf-25.08...ghaf-25.09.1
Release 25.08
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX and Lenovo X1 Carbon Gen11 platforms.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson Orin AGX
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
What's Changed
- version: bump version to August by @brianmcgillion in #1255
- build(deps): bump astral-sh/setup-uv from 6.3.0 to 6.3.1 by @dependabot[bot] in #1260
- Switch to preservation by @mbssrc in #1261
- build(deps): bump github/codeql-action from 3.29.0 to 3.29.1 by @dependabot[bot] in #1265
- feat(devshell): added options to force local/remote builds by @kajusnau in #1263
- docs: add ghaf-25.06 release note by @clayhill66 in #1262
- build(deps): bump github/codeql-action from 3.29.1 to 3.29.2 by @dependabot[bot] in #1266
- build(deps): bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot[bot] in #1267
- fix(greetd): Increase restart interval by @mbssrc in #1268
- Remove overriding of HOME system variable in AppArmor profile by @gngram in #1257
- refactor: refactor cosmic login config, simplify overlays by @kajusnau in #1270
- bugfix: adjust backlight brightness before login by @kajusnau in #1271
- build(deps): bump cachix/install-nix-action from 31.4.1 to 31.5.0 by @dependabot[bot] in #1272
- hybrid-gpu: Add config to support hybrid setup by @vunnyso in #1202
- bump: fix cosmic cross compile by @brianmcgillion in #1259
- build(deps): bump cachix/install-nix-action from 31.5.0 to 31.5.1 by @dependabot[bot] in #1274
- fix: explicitly require nettools by @brianmcgillion in #1275
- build(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #1277
- build(deps): bump astral-sh/setup-uv from 6.3.1 to 6.4.1 by @dependabot[bot] in #1278
- build(deps): bump github/codeql-action from 3.29.2 to 3.29.3 by @dependabot[bot] in #1280
- Improve audit by @mbssrc in #1273
- bump: latest after long staging by @brianmcgillion in #1276
- build(deps): bump astral-sh/setup-uv from 6.4.1 to 6.4.3 by @dependabot[bot] in #1284
- build(deps): bump github/codeql-action from 3.29.3 to 3.29.4 by @dependabot[bot] in #1283
- Configurable network settings by @emrahbillur in #1236
- bump: remove carried patch by @brianmcgillion in #1287
- build(deps): bump cachix/install-nix-action from 31.5.1 to 31.5.2 by @dependabot[bot] in #1288
- kernel: revert back to the 6.12 LTS by @brianmcgillion in #1289
- build(deps): bump github/codeql-action from 3.29.4 to 3.29.5 by @dependabot[bot] in #1292
- bump: wireguard, control panel and givc by @brianmcgillion in #1290
- Allow jira.tii.ae access from business-vm by @gngram in #1294
- gui-vm: Drop the stolen memory workaround kernel patch by @vunnyso in #1296
- Refactor and Simplify USB Passthrough Mapping for VMs by @gngram in #1295
- Bump control panel by @slakkala in #1297
- feat(xpadneo): Add module to enable wireless Xbox controller support by @vunnyso in #1298
- qemu: bump to latest rc of qemu by @brianmcgillion in #1301
- Basic firewall rules & testing by @enesoztrk in #1285
- Fixing logs duplication on remote by @everton-dematos in #1303
- docs: Document the overlays that we are carrying by @brianmcgillion in #1305
- v4l-utils: cross-compilation overlay by @avnik in #1299
- keys: Add Gayathri by @brianmcgillion in #1306
- Changes to the VM target by @hros-tii in #1302
- display: Drop x-igd-opregion device arg by @vunnyso in #1304
- build(deps): bump github/codeql-action from 3.29.5 to 3.29.6 by @dependabot[bot] in #1307
- bump: latest updates by @brianmcgillion in #1300
- Fix for SSRCSP-6902 (blueman-applet failure) by @gngram in #1308
- v4l-utils: remove desktop icons again by @avnik in #1309
- build(deps): bump github/codeql-action from 3.29.6 to 3.29.8 by @dependabot[bot] in #1310
- feat: enable COSMIC on Orins, improve desktop config by @kajusnau in #1244
- Setup normal exit for setup-ghaf-user service by @gngram in #1311
- build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #1313
- gui-vm: kernel use latest by @brianmcgillion in #1315
- bump: qemu-10.1.0-rc2 by @brianmcgillion in #1314
- overlays: intel-gpu-tools: Dynamic iGPU detection by @vunnyso in #1316
- build(deps): bump github/codeql-action from 3.29.8 to 3.29.9 by @dependabot[bot] in #1317
- feat(cosmic): propagate locale changes by @kajusnau in #1264
- Alienware: Control display brightness by @vunnyso in #1279
- build(deps): bump astral-sh/setup-uv from 6.4.3 to 6.5.0 by @dependabot[bot] in #1318
- qemu: bump to rc3 by @brianmcgillion in #1321
- Bump mid august by @brianmcgillion in #1322
- feat(desktop): add gpu screen recording with kb shortcut by @kajusnau in #1323
- Power management by @mbssrc in #1254
- build(deps): bump github/codeql-action from 3.29.9 to 3.29.10 by @dependabot[bot] in #1325
- build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by @dependabot[bot] in #1326
Full Changelog: ghaf-25.06...ghaf-25.08
Release 25.06
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX and Lenovo X1 Carbon Gen11 platforms.
This release complies with SLSA v1.0 level 3 requirements.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13, Gen9 2-in-1
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
What's Changed
- version: Bump the version to start the June cycle by @brianmcgillion in #1221
- crazyflie: add the usb passthrough by @brianmcgillion in #1222
- Add GitHub actions security analysis with zizmor by @henrirosten in #1223
- build(deps): bump cachix/install-nix-action from 31.3.0 to 31.4.0 by @dependabot in #1225
- xbox: Add new variant by @brianmcgillion in #1226
- dell: Make network PCI device detection dynamic by @vunnyso in #1220
- Yubikey: Add FIDO2 device authentication for UI user by @mbssrc in #1224
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot in #1230
- bump: updates by @brianmcgillion in #1229
- build(deps): bump github/codeql-action from 3.28.18 to 3.28.19 by @dependabot in #1231
- feat: set COSMIC as default DE, related minor adjustments by @kajusnau in #1217
- build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.1 by @dependabot in #1237
- docs: add ghaf-25.05 release notes by @clayhill66 in #1228
- docs: fix domain cname, improve contrast, and update deps by @humaidq-tii in #1238
- refactor: Modularize acpid and import of mitmproxy by @everton-dematos in #1227
- build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by @dependabot in #1241
- fix: hardware-scan was broken by @brianmcgillion in #1242
- hardware: add x1 2-in-1 gen9 by @brianmcgillion in #1243
- bump: update to the latest by @brianmcgillion in #1235
- vhotplug: Add option to prepend rules by @vunnyso in #1245
- apparmor: Fix the chrome policy by @brianmcgillion in #1246
- build(deps): bump astral-sh/setup-uv from 6.1.0 to 6.2.1 by @dependabot in #1248
- feat(logging): log service names by @mbssrc in #1250
- fix(bluetooth): remove bluetooth from host by @mbssrc in #1249
- Microvm boot order by @mbssrc in #1169
- build(deps): bump astral-sh/setup-uv from 6.2.1 to 6.3.0 by @dependabot in #1251
- guivm: add service to propagate gui-vm timezone changes to givc by @kajusnau in #1252
- Add GIVC documentation by @mbssrc in #1234
- build(deps): bump cachix/install-nix-action from 31.4.0 to 31.4.1 by @dependabot in #1253
New Contributors
- @everton-dematos made their first contribution in #1227
Full Changelog: ghaf-25.05...ghaf-25.06
Release 25.05
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX and Lenovo X1 Carbon Gen11 platforms.
This release complies with SLSA v1.0 level 3 requirements.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10/11/12/13
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
What's Changed
- version: start the May release cycle by @brianmcgillion in #1173
- docs: update docs by @brianmcgillion in #1175
- docs: Add x86 GPU PT and hardware acceleration by @vunnyso in #1174
- terminfo: Install terminfo for better rendering by @brianmcgillion in #1176
- cosmic: Add an x1 target to trial cosmic desktop by @brianmcgillion in #1178
- iGPU: Add compute engine offload capability by @brianmcgillion in #1179
- refactor(desktop): remove sticky notes from cosmic, switch to oculante img viewer by @kajusnau in #1171
- cleanup: move packages to dt-gui by @brianmcgillion in #1181
- Docs: add ghaf-25.04 release notes by @clayhill66 in #1182
- Fix GPU Accelleration by @mbssrc in #1183
- bugfix: cleanup display tmp files on logout by @kajusnau in #1180
- docs: Point to new archive by @ktusawrk in #1177
- build(deps): bump cachix/install-nix-action from 31.2.0 to 31.3.0 by @dependabot in #1184
- build(deps): bump github/codeql-action from 3.28.16 to 3.28.17 by @dependabot in #1187
- fix(desktop): adjust ghaf-launcher env vars by @kajusnau in #1190
- New demo tower hardware with RTX 5080 by @mbssrc in #1186
- bump ghaf-givc by @gngram in #1185
- Add security context indicator to COSMIC by @nesteroff in #1193
- bump:wireguard reactivating buttons and improvements by @enesoztrk in #1192
- bump: jetpack-nixos by @TanelDettenborn in #1191
- build(deps): bump actions/dependency-review-action from 4.6.0 to 4.7.0 by @dependabot in #1194
- fix: add configurable password for mitmweb UI by @enesoztrk in #1197
- build(deps): bump actions/dependency-review-action from 4.7.0 to 4.7.1 by @dependabot in #1198
- feat: Kernel version option for NVIDIA Orin NX/AGX targets by @TanelDettenborn in #1195
- refactor: cosmic, labwc docs, desktop improvements by @kajusnau in #1200
- hardware: Add the lenovo x1 gen 13 by @brianmcgillion in #1199
- lenovo-x1-gen11-hardening: build image with dm-verity by @humaidq-tii in #1074
- build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @dependabot in #1204
- bump: standard bump by @brianmcgillion in #1158
- Orin rework by @emrahbillur in #1201
- Remove the older caches by @brianmcgillion in #1209
- fix: Include the latest version of sticky-notes by @brianmcgillion in #1206
- Fix Sticky Notes segfault in Cosmic by @gngram in #1210
- vhotplug: Set precedence of ChromeVM over AudioVM by @vunnyso in #1213
- fix: repair the imx8 building by @brianmcgillion in #1214
- usb: Added a common stub for external usb devices by @vunnyso in #1215
- docs: Migrate to Astro Starlight by @humaidq-tii in #1203
- bump: bump to pick up some fixes by @brianmcgillion in #1218
- Update COSMIC security context indicator patch by @nesteroff in #1205
- bump(ctrl-panel): bump ctrl-panel by @brianmcgillion in #1211
Full Changelog: ghaf-25.04...ghaf-25.05
Bug Fixes
Fixed bugs that were present in the ghaf-25.04 release:
- Sending bug report from Control Panel causes Control Panel to crash
Release 25.04
This is a monthly Ghaf release which has been fully tested on Nvidia Orin NX, Nvidia Orin AGX and Lenovo X1 Carbon Gen11 platforms. This release contains a major update: the Linux kernel for Nvidia platforms is upgraded to 6.6.75.
This release complies with SLSA v1.0 level 3 requirements.
Supported Hardware
The following target hardware is supported by this release:
- NVIDIA Jetson AGX Orin
- NVIDIA Jetson Orin NX
- Lenovo ThinkPad X1 Carbon Gen 10, 11, 12
- Dell Latitude 7230, 7330
- Alienware M18
- NXP i.MX 8M Plus
What's Changed
- Add netvm kernel params and rtl8126 by @mbssrc in #1108
- Demo desktop by @brianmcgillion in #1107
- docs:add release note 25.03 by @clayhill66 in #1111
- feat(graphics): add idle management configuration option by @kajusnau in #1110
- nvidia: generalize the setup by @brianmcgillion in #1109
- bump: standard bump by @brianmcgillion in #1033
- docs: fix formatting and typo in release note by @clayhill66 in #1116
- Orin NX/AGX: Switch from nvidia bsp 5.15 kernel to upstream 6.6 by @TanelDettenborn in #1115
- vulkan: Add vulkan support for nvidia by @brianmcgillion in #1117
- build(deps): bump actions/dependency-review-action from 4.5.0 to 4.6.0 by @dependabot in #1118
- build(deps): bump cachix/install-nix-action from 31.0.0 to 31.1.0 by @dependabot in #1119
- VPN: Add wireguard-gui service by @enesoztrk in #1099
- UI Idle management by @mbssrc in #1120
- Update SCS section in Ghaf github.io pages by @ktusawrk in #1123
- Bug fix SSRCSP-5890 by @gngram in #1121
- build(deps): bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #1124
- chore: update pull request template by @kajusnau in #1127
- Fix hw name by @brianmcgillion in #1130
- build(deps): bump tj-actions/changed-files from 46.0.3 to 46.0.4 by @dependabot in #1131
- VPN: wireguard-gui integration to ghaf control panel by @enesoztrk in #1129
- debug: add some additional tools by @brianmcgillion in #1132
- feat: power manager module, refactor ghaf-powercontrol by @kajusnau in #1125
- build(deps): bump github/codeql-action from 3.28.13 to 3.28.14 by @dependabot in #1134
- fix: fix the xhci pt in gui-vm by @brianmcgillion in #1133
- bump: need the new firefox by @brianmcgillion in #1122
- fix: devshell by @brianmcgillion in #1136
- vhotplug: Enable type-c display for x86_64 variants by @vunnyso in #1135
- build(deps): bump github/codeql-action from 3.28.14 to 3.28.15 by @dependabot in #1137
- Refactor: Imports structure by @mbssrc in #1085
- Refactor: Add PCI devices to common by @mbssrc in #1138
- Fix typo by @mbssrc in #1140
- Fix ci devshell by @brianmcgillion in #1142
- Github actions: Evaluate devShells by @henrirosten in #1139
- keys: Add Milla to known devs by @brianmcgillion in #1144
- docs: Update Chapter 7. CI/CD in github.io pages by @ktusawrk in #1143
- fix: graphics dropped in refactor by @brianmcgillion in #1145
- build(deps): bump tj-actions/changed-files from 46.0.4 to 46.0.5 by @dependabot in #1146
- firefox: Make in to a reference program by @brianmcgillion in #1147
- desktop: add COSMIC Epoch DE by @kajusnau in #1104
- bump nixos-hardware by @gngram in #1148
- bump: fix wireguard-gui flake file for check command by @enesoztrk in #1151
- bump: nixos-hardware by @gngram in #1153
- Update vhotplug to fix issues with multiple devices with the same VID/PID by @nesteroff in #1149
- keys: Add new nixos key for rodrigo by @brianmcgillion in #1156
- bump: standard bump by @brianmcgillion in #1150
- intel-gpu: Cleanup the intel setup configuration by @vunnyso in #1157
- build(deps): bump cachix/install-nix-action from 31.1.0 to 31.2.0 by @dependabot in #1160
- bugfix: fix Falcon AI app not starting, rework package by @kajusnau in #1154
- Input devices: remove hardcoded evdevs by @mbssrc in #1159
- GhA: Authorize workflow by @henrirosten in #1161
- build(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 by @dependabot in #1162
- GhA: authorize.yml: url-encode actor by @henrirosten in #1163
- Adapt to microvm changes by @slakkala in #1165
- GhA: warn also on authorize.yml change by @henrirosten in #1166
- Support for AGX 64 GB is added with different target options. by @emrahbillur in #1164
- build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot in #1167
- testing: replace speedtest-cli with ookla by @brianmcgillion in #1168
- Fix: ids-vm networking by @mbssrc in #1170
- version number fix by @brianmcgillion in #1172
New Contributors
Full Changelog: ghaf-25.03...ghaf-25.04